.NET/MSIL Malicious Code and AV/Heuristic Engines

by Markus Schmall

The .NET strategy/technology from Microsoft has caused quite a stir in the security community. While the Windows .NET strategy incorporates numerous aspects, this article focuses on the aspects that must be covered in order to develop an AV/heuristic engine for this new platform. Specifically, it addresses the additions that .NET technologies introduce to the standard Windows PE (portable executable) file format and how these affect the development of an effective heuristic engine. It also briefly discusses the existing malicious code for the .NET environment.
To better understand the PE file format and the .NET extensions, this article uses "HelloWorld" as an example. It can be downloaded here. At the same location, readers will also find basic source code for parsing the Microsoft Intermediate Language (referred to as MSIL in the following) and a complete AV module for scanning .NET/MSIL malicious code.
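The first thing an AV/heuristic engine has to decide for a PE file is whether it contains native code or MSIL, because the two need entirely different scanning paths. The marker is the CLR runtime header, which a .NET assembly references from slot 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) of the optional header's data directory. The following Python is an added example written for this page, not code from the article or its download package; it parses the DOS, COFF and optional headers of PE32 and PE32+ images, reads that directory entry, and treats malformed headers as errors rather than quietly classifying them as native. The sample image it builds is constructed in memory (headers only, no sections) purely to exercise the parser.

```python
import struct

# Slot 14 of the PE data directory holds the CLR runtime header (IMAGE_COR20_HEADER).
# A non-zero RVA/size in this slot is what marks a PE file as a .NET/MSIL assembly.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def clr_directory(data: bytes):
    """Return (rva, size) of the CLR runtime header, or None for a native PE.

    Raises ValueError for anything that is not a well-formed PE header, so a
    scanner can flag malformed input instead of silently treating it as native."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    if opt + size_of_opt > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_off, dir_off = 92, 96      # NumberOfRvaAndSizes, DataDirectory[]
    elif magic == PE32PLUS_MAGIC:
        num_off, dir_off = 108, 112    # PE32+ has an 8-byte ImageBase, no BaseOfData
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, opt + num_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return None                    # directory too short to hold a CLR slot
    entry = opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry + 8 > opt + size_of_opt:
        raise ValueError("data directory overruns optional header")
    rva, size = struct.unpack_from("<II", data, entry)
    return (rva, size) if rva and size else None


def classify(data: bytes) -> str:
    """Route a sample to the right scanning path: 'msil' or 'native'."""
    return "msil" if clr_directory(data) is not None else "native"


def build_test_pe(clr=(0, 0), pe32plus=False) -> bytes:
    """Constructed sample: a header-only PE image (no sections), just enough
    to exercise the parser above. Not a real file from the article."""
    num_off, dir_off = (108, 112) if pe32plus else (92, 96)
    opt = bytearray(dir_off + 16 * 8)                    # 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, num_off, 16)
    struct.pack_into("<II", opt, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, *clr)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       len(opt), 0x0102)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> "PE\0\0"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(classify(build_test_pe()))                     # native
    print(classify(build_test_pe(clr=(0x2008, 72))))     # msil
```

Once the CLR directory is found, the engine follows its RVA into the section that holds the IMAGE_COR20_HEADER and from there to the metadata and MSIL method bodies; a native x86 heuristic applied to that region would only produce noise, which is why the dispatch above comes before any opcode-level analysis.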